Security update for apache2-mod_nss

SUSE Security Update: Security update for apache2-mod_nss
Announcement ID: SUSE-SU-2016:2396-1
Rating: moderate
References: #972968 #975394 #979688
Affected Products:
  • SUSE Linux Enterprise Server for SAP 12
  • SUSE Linux Enterprise Server 12-LTSS
    		•

    An update that fixes four vulnerabilities is now available.

    Description:


    This update provides apache2-mod_nss 1.0.14, which brings several fixes
    and enhancements:

    - Fix OpenSSL ciphers stopped parsing at +. (CVE-2016-3099)
    - Created valgrind suppression files to ease debugging.
    - Implement SSL_PPTYPE_FILTER to call executables to get the key password
    pins.
    - Improvements to migrate.pl.
    - Update default ciphers to something more modern and secure.
    - Check for host and netstat commands in gencert before trying to use them.
    - Add server support for DHE ciphers.
    - Extract SAN from server/client certificates into env
    - Fix memory leaks and other coding issues caught by clang analyzer.
    - Add support for Server Name Indication (SNI).
    - Add support for SNI for reverse proxy connections.
    - Add RenegBufferSize? option.
    - Add support for TLS Session Tickets (RFC 5077).
    - Fix logical AND support in OpenSSL cipher compatibility.
    - Correctly handle disabled ciphers. (CVE-2015-5244)
    - Implement a slew more OpenSSL cipher macros.
    - Fix a number of illegal memory accesses and memory leaks.
    - Support for SHA384 ciphers if they are available in NSS.
    - Add compatibility for mod_ssl-style cipher definitions.
    - Add TLSv1.2-specific ciphers.
    - Completely remove support for SSLv2.
    - Add support for sqlite NSS databases.
    - Compare subject CN and VS hostname during server start up.
    - Add support for enabling TLS v1.2.
    - Don't enable SSL 3 by default. (CVE-2014-3566)
    - Fix CVE-2013-4566.
    - Move nss_pcache to /usr/libexec.
    - Support httpd 2.4+.
    - SHA256 cipher names change spelling from *_sha256 to *_sha_256.
    - Use apache2-systemd-ask-pass to prompt for a certificate passphrase.
    (bsc#972968, bsc#975394)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server for SAP 12:
      zypper in -t patch SUSE-SLE-SAP-12-2016-1391=1
    • SUSE Linux Enterprise Server 12-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-2016-1391=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server for SAP 12 (x86_64):
      • apache2-mod_nss-1.0.14-10.14.3
      • apache2-mod_nss-debuginfo-1.0.14-10.14.3
      • apache2-mod_nss-debugsource-1.0.14-10.14.3
    • SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):
      • apache2-mod_nss-1.0.14-10.14.3
      • apache2-mod_nss-debuginfo-1.0.14-10.14.3
      • apache2-mod_nss-debugsource-1.0.14-10.14.3

    References: